Authorization Header Exposure in @hapi/wreck HTTP Client Utility
CVE-2026-44979
6.3MEDIUM
What is CVE-2026-44979?
The @hapi/wreck HTTP client utility, prior to version 18.1.1, contains a vulnerability where the standard credential header Proxy-Authorization is forwarded without being stripped when following a 3xx redirect to a different hostname. This behavior could lead to unintended exposure of forward-proxy credentials to untrusted hosts if redirects are enabled. The issue has been addressed in version 18.1.1, ensuring that sensitive headers are appropriately managed during redirects.
Affected Version(s)
wreck < 18.1.1
